X-Patchwork-Id: 3789861
From: Michal Kazior
To: linux-wireless@vger.kernel.org
Cc: johannes@sipsolutions.net, Michal Kazior
Subject: [PATCH 1/3] mac80211: fix racy usage of chanctx->refcount
Date: Fri, 7 Mar 2014 12:19:54 +0100
Message-Id: <1394191196-6425-1-git-send-email-michal.kazior@tieto.com>

Channel context refcount is protected by chanctx_mtx. Accessing the value without holding the mutex is racy. RCU section didn't guarantee anything here.

Theoretically ieee80211_channel_switch() could fail to see refcount change and read "1" instead of, e.g. "2". This means mac80211 could accept CSA even though it shouldn't have.

Signed-off-by: Michal Kazior
--- net/mac80211/cfg.c | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/net/mac80211/cfg.c b/net/mac80211/cfg.c index aaa59d7..a79875c 100644 --- a/net/mac80211/cfg.c
+++ b/net/mac80211/cfg.c @@ -3233,23 +3233,23 @@ int ieee80211_channel_switch(struct wiphy *wiphy, struct net_device *dev, &sdata->vif.bss_conf.chandef)) return -EINVAL; - rcu_read_lock(); + mutex_lock(&local->chanctx_mtx); chanctx_conf = rcu_dereference(sdata->vif.chanctx_conf); if (!chanctx_conf) { - rcu_read_unlock(); + mutex_unlock(&local->chanctx_mtx); return -EBUSY; } /* don't handle for multi-VIF cases */ chanctx = container_of(chanctx_conf, struct ieee80211_chanctx, conf); if (chanctx->refcount > 1) { - rcu_read_unlock(); + mutex_unlock(&local->chanctx_mtx); return -EBUSY; } num_chanctx = 0; list_for_each_entry_rcu(chanctx, &local->chanctx_list, list) num_chanctx++; - rcu_read_unlock(); + mutex_unlock(&local->chanctx_mtx); if (num_chanctx > 1) return -EBUSY;
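Review bot: in the converted section of ieee80211_channel_switch(), rcu_dereference(sdata->vif.chanctx_conf) and list_for_each_entry_rcu(chanctx, &local->chanctx_list, list) are now reached with chanctx_mtx held but without rcu_read_lock(), so a kernel built with CONFIG_PROVE_RCU will flag both as suspicious RCU usage. Since the mutex is now the protection, say so in the accessors: use rcu_dereference_protected(sdata->vif.chanctx_conf, lockdep_is_held(&local->chanctx_mtx)) and a plain list_for_each_entry() for the chanctx_list walk. Separately, the refcount and num_chanctx checks only hold while chanctx_mtx is held, and the hunk drops the mutex before the "if (num_chanctx > 1)" test and whatever follows it. If the rest of the function acts on the assumption that this is still the only user of the only context, the commit message should explain why a change after mutex_unlock() is harmless, or the lock should be kept across that code.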